What are the knowledge points for web security testing?

What is security testing?

Security testing is to provide evidence that the application can still fully meet its needs in the face of hostile and malicious input.

a. How to provide evidence? We use a set of failed security test case execution results to prove that the web application does not meet security requirements.

b. How do you view the need for security testing? Security testing is more dependent on requirements than functional testing because it has more possible inputs and outputs to sift through.

True software security actually refers to risk management, that is, we can ensure that the security of the software meets business needs.

How to carry out security testing?

Adding security test cases based on common attacks and vulnerabilities combined with actual practice is how to turn security testing into a simple and common part of daily functional testing.

Select special boundary values ​​with security significance, as well as special equivalence classes with security significance, and integrate these into our test planning and test strategy processes.

But if security testing is performed on the basis of functional testing, a large number of test cases need to be added. This means that two things must be done to make it manageable: narrowing the focus and automating the tests.

What testing points should usually be considered in Web security testing?

1. Problem: Unvalidated input
Test method:

Data type (string, integer, real number, etc.)
Allowed character set

Minimum and maximum length
Whether empty input is allowed
Whether the parameter is required
Whether repetition is allowed
Value range
Specific value (enumeration type)
Specific Pattern (regular expression)

2. Problem: Problematic access control

Test method:

is mainly used for pages that need to verify user identity and permissions. Copy this The URL address of the page. After closing the page, check whether you can directly enter the copied address.
Example: You can see the URL address in the gap from one page to another page. Enter the address directly and you can see yourself. Page information without permission

3, incorrect authentication and session management

Example: The input boxes of Grid, Label, and Tree view classes are not verified, and the input content will be parsed according to html syntax Come out
4. Buffer overflow

Key data is not encrypted

Example: view-source: http address can view the source code, enter the password on the page, the page displays *** **, right-click and view the source file to see the password you just entered

5. Denial of Service

Analysis: An attacker can generate enough traffic from a host to consume many applications program, eventually paralyzing the program, and load balancing is required to deal with
6. Insecure configuration management

Analysis: The link string in Config as well as user information, email, and data storage information need to be Protect.

What programmers should do: Configure all security mechanisms, turn off all unused services, set up role permission accounts, use logs and alerts

Analysis: Users use buffer overflow to cause damage The web application stack, by sending specially written code to the web program, the attacker can let the web application execute arbitrary code

7. Injection vulnerability
Example: a page to verify user login ,

If the sql statement used is:

Select * from table A where username＝'' username '' and pass word .....

Sql input' or 1 =1 - You can attack without entering any password

8. Improper exception handling

Analysis: When the program throws an exception, it gives a relatively detailed internal error message. Exposed execution details that should not be displayed, the website has potential vulnerabilities

9. Insecure storage

Analysis: Account list, the system should not allow users to browse to all accounts on the website, if necessary For a list of users, it is recommended to use some form of pseudonym (screen name) to point to the actual account.

Browser cache: Authentication and session data should not be sent as part of GET, POST should be used

10. Problem: Cross-site scripting (XSS)

Analysis: Attackers use cross-site scripting to send malicious code to unsuspecting users and steal any information on their machines

Test method:

HTML tag: <…>…

Escape characters: &(&);<(<);>(>); (space);

Script language:

…Alert('')

Special characters: ' ' < > /

Minimum and maximum length

Whether empty input is allowed

The above is the detailed content of What are the knowledge points for web security testing?. For more information, please follow other related articles on the PHP Chinese website!